Обсуждение: pg_monitor role description
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/13/default-roles.html Description: "This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables." Is it correct sentence? It seems for me that pg_read_all_stats is a member of pg_monitor. But not vice versa.
On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote: > "This role is a member of pg_read_all_settings, pg_read_all_stats and > pg_stat_scan_tables." > Is it correct sentence? > It seems for me that pg_read_all_stats is a member of pg_monitor. But not > vice versa. Here is what I am getting: =# \dgS pg_monitor List of roles Role name | Attributes | Member of ------------+--------------+-------------------------------------------------------------- pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} =# \dgS pg_read_all_data List of roles Role name | Attributes | Member of ------------------+--------------+----------- pg_read_all_data | Cannot login | {} So the docs look correct to me. -- Michael
Вложения
On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote: > > On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote: > > "This role is a member of pg_read_all_settings, pg_read_all_stats and > > pg_stat_scan_tables." > > Is it correct sentence? > > It seems for me that pg_read_all_stats is a member of pg_monitor. But not > > vice versa. > > Here is what I am getting: > =# \dgS pg_monitor > List of roles > Role name | Attributes | Member of > ------------+--------------+-------------------------------------------------------------- > pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} > > =# \dgS pg_read_all_data > List of roles > > Role name | Attributes | Member of > ------------------+--------------+----------- > pg_read_all_data | Cannot login | {} > > So the docs look correct to me. Indeed. In other words pg_monitor is the sum of the authorizations given by all those roles.
On 20.05.2021 11:54, Julien Rouhaud wrote:
On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote:On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:"This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables." Is it correct sentence? It seems for me that pg_read_all_stats is a member of pg_monitor. But not vice versa.Here is what I am getting: =# \dgS pg_monitor List of roles Role name | Attributes | Member of ------------+--------------+-------------------------------------------------------------- pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} =# \dgS pg_read_all_data List of roles Role name | Attributes | Member of ------------------+--------------+----------- pg_read_all_data | Cannot login | {} So the docs look correct to me.Indeed. In other words pg_monitor is the sum of the authorizations given by all those roles.
Let me try one more time. What is correct from the English language point of view: 1. Julien Rouhaud is a member of PostgreSQL Community. or 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. Or both forms are correct? I think that 1 is correct. And column header in a \du output must be something like 'members' instead of 'member of'.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Pavel Luzanov <p.luzanov@postgrespro.ru> writes: > Let me try one more time. > What is correct from the English language point of view: > 1. Julien Rouhaud is a member of PostgreSQL Community. > or > 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. > Or both forms are correct? > I think that 1 is correct. You're right about that ... > And column header in a \du output must be something like 'members' instead of 'member of'. ... but this does not follow, because it's a poor analogy. "Member of" means "these role(s) have been GRANT'ed to pg_monitor". As a more typical use-case, there might be a role "sysadmins" that holds assorted privileges, and then certain individual users are granted that role. Nobody would quibble with seeing List of roles Role name | Attributes | Member of -----------+--------------+------------- bob | | {sysadmins} joe | | {sysadmins} sysadmins | Cannot login | {} and I think most would agree that titling the column "Members" would be backwards. regards, tom lane
On Thu, 2021-05-20 at 12:03 -0400, Tom Lane wrote: > List of roles > Role name | Attributes | Member of > -----------+--------------+------------- > bob | | {sysadmins} > joe | | {sysadmins} > sysadmins | Cannot login | {} > > and I think most would agree that titling the column "Members" would > be backwards. Right. you have to read that like: Role name (bob) with attributes () is a member of (sysadmins). Yours, Laurenz Albe
Hello,
On 20.05.2021 19:03, Tom Lane wrote:
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:Let me try one more time. What is correct from the English language point of view: 1. Julien Rouhaud is a member of PostgreSQL Community. or 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. Or both forms are correct? I think that 1 is correct.You're right about that ...
So, is it correct to change description of pg_monitor role from:
"Read/execute various monitoring views and functions. This role is a member ofpg_read_all_settings
,pg_read_all_stats
andpg_stat_scan_tables
."
to
"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." I can prepare a simple patch.
And column header in a \du output must be something like 'members' instead of 'member of'.... but this does not follow, because it's a poor analogy. "Member of" means "these role(s) have been GRANT'ed to pg_monitor".
Yes, I understood this point and agree.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Hello,
On 20.05.2021 20:27, Pavel Luzanov wrote:
So, is it correct to change description of pg_monitor role from:"Read/execute various monitoring views and functions. This role is a member ofpg_read_all_settings
,pg_read_all_stats
andpg_stat_scan_tables
."to"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." I can prepare a simple patch.
Just in case, patch attached.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Вложения
Pavel Luzanov <p.luzanov@postgrespro.ru> writes: > So, is it correct to change description of pg_monitor role from: > "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." > to > "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tablesare members of this role." No, it is not. That wording implies that the built-in grants are like GRANT pg_monitor TO pg_read_all_settings and so on, where the truth is the opposite. regards, tom lane
On 20.05.2021 21:10, Tom Lane wrote: > Pavel Luzanov <p.luzanov@postgrespro.ru> writes: >> So, is it correct to change description of pg_monitor role from: >> "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." >> to >> "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tablesare members of this role." > No, it is not. That wording implies that the built-in grants are like > > GRANT pg_monitor TO pg_read_all_settings > > and so on, where the truth is the opposite. I'm totally confused. I'm taking timeout to think about it. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
On 20.05.2021 21:25, Pavel Luzanov wrote:
I'm totally confused. I'm taking timeout to think about it.
I got it! It wasn't my day.)) This wording worked for me: The pg_monitor role is a member of the pg_read_all_settings role, which allows its privileges to be used. Therefore, pg_monitor can get the value of any configuration parameter. Thanks for clarifying.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company